|
|
|
Chapter 12. An Introduction to Tailoring OCTAVETailoring is a rather generic term. Chapter 2 described the requirements of the OCTAVE approach as a set of principles, attributes, and outputs. The OCTAVE Method was designed to be consistent with those requirements. When we designed the OCTAVE Method, we realized that evaluating information security risk is so contextual that no single implementation of the requirements could be designed for universal use. For example, the needs of small organizations differ drastically from those of large organizations. The way in which organizations choose to implement the OCTAVE approach will vary, based on the characteristics of each organization. We designed the OCTAVE Method to be easily modified to meet the needs of many organizations. So what do we mean by tailoring? Almost any option that doesn't violate the basic set of requirements of the OCTAVE approach qualifies, and that list is very long. This chapter describes a variety of tailoring options, and Chapter 13 presents several practical implementations based on these options.
|
|
|
|